To guarantee maximum security when the Web dispatcher is used, SAP recommends the following measures while it is in operation.
● Always use the latest version of the Web dispatcher. How you get and import the latest Web dispatcher is described in Operation of the SAP Web Dispatcher → Importing the SAP Web Dispatcher.
● Configure your own error pages so that the technical reason for the error is not disclosed to the end user. Make the following setting:
icm/HTTP/error_templ_path = /usr/sap/B6M/D13/data/icmerror
Alternatively you can set parameter is/HTTP/show_detailed_errors to FALSE. Then no information about the error is passed to the client.
For more information, see Error Handling.
● Use the Web dispatcher as a URL filter with positive lists. Definitely filter the following URLs as these provide details of the infrastructure and the configuration:
○ /sap/public/icman/*
○ /sap/public/ping
○ /sap/public/icf_info/*
Block access to the internal information page by making the following entry in your URI permission table: D /sap/wdisp/info
For more information see SAP Web Dispatcher as a URL Filter.
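The following is an added illustration of how a positive-list permission table of the kind described above behaves; it is not code from the SAP documentation and not the Web dispatcher's own implementation. It assumes the table format shown in the text (one "P <pattern>" or "D <pattern>" entry per line, "*" as wildcard), first-match-wins evaluation, and an implicit deny when no entry matches. The P entries and the sample request paths are constructed placeholders.

```python
import re

# Constructed sample permission table (assumed format, see lead-in).
# The D entries are the paths the text says must be filtered; the P entries
# stand in for an installation's real application entry points.
PERMISSION_TABLE = """\
# internal information pages: never expose them
D /sap/public/icman/*
D /sap/public/ping
D /sap/public/icf_info/*
D /sap/wdisp/info
# positive list: only these application paths are reachable from outside
P /sap/bc/bsp/*
P /sap/bc/webdynpro/*
"""

# Constructed request paths that the hardened table must reject.
MUST_BE_DENIED = [
    "/sap/public/icman/x",
    "/sap/public/ping",
    "/sap/public/icf_info/x",
    "/sap/wdisp/info",
]


def pattern_to_regex(pattern):
    """'*' matches any run of characters, everything else is literal; the
    match is anchored, so a pattern without '*' matches only that exact path
    (assumption about the table semantics)."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def parse_permission_table(text):
    """Return [(action, pattern, regex)] in file order. Malformed lines raise
    instead of being skipped, because a silently dropped entry is a hole in
    the positive list."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0] not in ("P", "D"):
            raise ValueError(
                f"line {lineno}: expected 'P <pattern>' or 'D <pattern>', got {raw!r}"
            )
        action, pattern = fields
        rules.append((action, pattern, pattern_to_regex(pattern)))
    return rules


def is_permitted(rules, uri):
    """First matching entry decides; no match means deny (assumed positive-list
    semantics). Only the path is matched, the query string is ignored here."""
    path = uri.split("?", 1)[0]
    for action, _pattern, regex in rules:
        if regex.match(path):
            return action == "P"
    return False


def still_reachable(rules):
    """Defender's check: which of the paths the text says to block would this
    table still let through? An empty list means the table is as required."""
    return [p for p in MUST_BE_DENIED if is_permitted(rules, p)]


RULES = parse_permission_table(PERMISSION_TABLE)

if __name__ == "__main__":
    for uri in ["/sap/bc/bsp/sap/app/default.htm", "/sap/wdisp/info", "/other"]:
        print(uri, "->", "permit" if is_permitted(RULES, uri) else "deny")
    print("page-mandated paths still reachable:", still_reachable(RULES))
```

Because the positive list only permits the two application prefixes, a path outside them (such as "/other") is denied even though no D entry names it; the explicit D entries remain useful as a safeguard in case a broader P entry is added later.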
● Make the following settings to increase security for the Web Admin interface.
○ Use HTTPS to prevent the password being spied on. To do this, in the URL use an HTTPS port that you set up with parameter icm/server_port_<xx>.
○ Allow the administration of the Web dispatcher to be done only on ports with a secure protocol (HTTPS), by setting the PORT option of parameter icm/HTTP/admin_<xx> to an HTTPS port.
○ As the admin port configure a port that can only be accessed from the internal network. To do this use the PORT option of parameter icm/HTTP/admin_<xx>.
○ Only allow administration tasks to be done under a specific host name/IP address that can only be accessed from the internal network. To do this use the HOST option of parameter icm/HTTP/admin_<xx>.
○ Restrict the administration to clients in the internal network. To do this use the CLIENTHOST option of parameter icm/HTTP/admin_<xx>.
For more information see Using the Web Administration Interface.
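The following is an added example of a profile check for the admin interface settings listed above; it is not code from the SAP documentation and not a tool shipped with the Web dispatcher. It assumes the usual profile syntax (parameter = comma-separated OPTION=value list) and uses the documented options PROT and PORT of icm/server_port_<xx> and PREFIX, DOCROOT, AUTHFILE, PORT, HOST and CLIENTHOST of icm/HTTP/admin_<xx>. Both profile fragments, their port numbers, host name and client address pattern are constructed sample values.

```python
# Constructed profile fragments (assumed sample values, not an installation's
# real profile). The hardened one binds the admin interface to the HTTPS port
# and restricts it by host and client network; the weak one does none of that.
HARDENED_PROFILE = """\
icm/server_port_0 = PROT=HTTP, PORT=8000
icm/server_port_1 = PROT=HTTPS, PORT=44300
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin, DOCROOT=./admin, AUTHFILE=icmauth.txt, PORT=44300, HOST=wdisp-admin.corp.internal, CLIENTHOST=10.10.0.*
"""

WEAK_PROFILE = """\
icm/server_port_0 = PROT=HTTP, PORT=8000
icm/server_port_1 = PROT=HTTPS, PORT=44300
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin, DOCROOT=./admin, AUTHFILE=icmauth.txt, PORT=8000
"""


def parse_profile(text):
    """Map parameter name -> raw value; the first '=' separates the two."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_options(value):
    """Split 'A=x, B=y' into {'A': 'x', 'B': 'y'} (option names upper-cased)."""
    options = {}
    for item in value.split(","):
        key, _, val = item.partition("=")
        if key.strip():
            options[key.strip().upper()] = val.strip()
    return options


def https_ports(params):
    """Ports of all icm/server_port_<xx> entries whose PROT is HTTPS."""
    ports = set()
    for name, value in params.items():
        if name.startswith("icm/server_port_"):
            opts = parse_options(value)
            if opts.get("PROT", "").upper() == "HTTPS" and "PORT" in opts:
                ports.add(opts["PORT"])
    return ports


def audit_admin(params):
    """Return a list of findings for every icm/HTTP/admin_<xx> entry that does
    not follow the settings listed in the text; empty list means compliant."""
    findings = []
    secure = https_ports(params)
    for name, value in params.items():
        if not name.startswith("icm/HTTP/admin_"):
            continue
        opts = parse_options(value)
        if "PORT" not in opts:
            findings.append(f"{name}: no PORT option, admin interface not bound to a dedicated port")
        elif opts["PORT"] not in secure:
            findings.append(f"{name}: PORT={opts['PORT']} is not an HTTPS port (icm/server_port_<xx> with PROT=HTTPS)")
        if "HOST" not in opts:
            findings.append(f"{name}: no HOST option, admin interface not limited to an internal host name/address")
        if "CLIENTHOST" not in opts:
            findings.append(f"{name}: no CLIENTHOST option, admin interface accepts clients from any network")
    return findings


if __name__ == "__main__":
    for label, text in [("hardened", HARDENED_PROFILE), ("weak", WEAK_PROFILE)]:
        print(label + ":")
        for finding in audit_admin(parse_profile(text)) or ["  (no findings)"]:
            print("  " + finding)
```

The check deliberately ties the admin PORT back to the icm/server_port_<xx> entries rather than trusting the port number alone: an admin port is only secure if the port it names is actually served with PROT=HTTPS.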
See also:
For up to date information about security settings for the Web dispatcher see SAP note 870127.